MAL-2026-6241

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-shared/MAL-2026-6241.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6241

Published

2026-06-20T13:10:07Z

Modified

2026-06-20T13:46:43.304111349Z

Summary

Malicious code in atlasora-shared (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e1bd49976f774ef8357d29c74bc366b851e69a611cc5894f1a59621d91f9daba)

package.json declares "postinstall": "node install.js", causing install.js to run automatically on npm install. install.js requires https, fs, os, and child_process, collects host identifiers via os.hostname() and os.userInfo(), executes shell commands via execSync(...), probes filesystem paths with fs.existsSync(...), and POSTs the collected data to a remote endpoint via https.request(...). This is the canonical install-time system-information exfiltration pattern: identifying data is gathered from the installer's machine and beaconed outbound on every install, with no documented purpose tied to the package's stated function. Installing this package automatically leaks host and user information to an external destination.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "e1bd49976f774ef8357d29c74bc366b851e69a611cc5894f1a59621d91f9daba",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T13:10:07Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007099",
            "import_time": "2026-06-20T13:37:51.506780736Z"
        }
    ]
}

References

https://www.npmjs.com/package/atlasora-shared/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / atlasora-shared

Package

Name: atlasora-shared; View open source insights on deps.dev
Purl: pkg:npm/atlasora-shared

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-shared/MAL-2026-6241.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "5849f99b3c22a51b079d3d793718c0b48cde0e1c6ed7d7738edaf87e8e01eb88",
            "tlsh": "887175a180f6026056d33ae7e58f24252215f153be12eed43ddc12519f8a62c86f2bff",
            "path": "install.js"
        },
        {
            "sha256": "06c2fc52d2f806e4e2dafa107c2c0e6faa3dcdb45edc1ed280e87755415fee36",
            "tlsh": "c7f02730ab20dc635bd8a7a85d27514675308e0bc448ac2d36cb212c979f76629beb18",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-peDCUY8+XjmQTJJxSx85wYnN7Qf5ZBgYExw0rPCUnprdTCLXNvENAwQSvMlm4FK7/t3jRUPEKeHjmcq1asIRQw==",
                "sha1": "b3ec923e851fc1c75d26f3399f05cb881b005c3f"
            },
            "filename": "atlasora-shared-1.0.0.tgz"
        }
    ]
}